How do most data breaches occur? Who are the threat actors behind these cyber attacks? And what are key attacker motivations?
The 2020 Verizon Data Breach Investigations Report (DBIR) has the answers.
2020 DBIR cybercrime report and key statistics
Verizon says it sifted through more than 150,000 security events from the last year and that 3,950 of the confirmed data breaches met the quality standards necessary for the report. The findings below are based on that data set.
What are the top 5 causes of data breaches?
The Verizon DBIR says tactics utilized or involved in confirmed data breaches are as follows:
• 45% of breaches featured hacking
• 22% included social engineering
• 22% were made possible by errors
• 17% involved malware
• 8% of breaches involved misuse by authorized users
Are you surprised that the number of successful breaches involving malware is all the way down at 17 percent?
The report addresses the likely reason:
"Malware has been on a consistent and steady decline as a percentage of breaches over the last five years. Why is this? Has malware just gone out of fashion like poofy hair and common courtesy?
No, we think that other attack types such as hacking and social breaches benefit from the theft of credentials, which makes it no longer necessary to add malware in order to maintain persistence.
So, while we definitely cannot assert that malware has gone the way of the eight-track tape, it is a tool that sits idle in the attacker's toolbox in simpler attack scenarios."
Who are the top 3 actors in data breaches?
The DBIR looks at the question of who is behind cyberattacks in a couple of different ways. The top three categories:
• 70% are external bad actors
• 55% are organized crime groups
• 30% involve internal actors
And what about the 30% of data breaches being linked to internal actors? Some are criminal in nature, like the case SecureWorld covered at AT&T Wireless, but the Verizon DBIR says many are mistakes:
"Admittedly, there is a distinct rise in internal actors in the dataset these past few years, but that is more likely to be an artifact of increased reporting of internal errors rather than evidence of actual malice from internal actors."
Another way to look at who is behind data breaches is the top "actor varieties," which reveal more detail within the categories above.
The DBIR says the breakdown looks like this:
This reveals a sizable number of end-user and SysAdmin errors. At least they are primarily errors.
Also of note are the nation-state attacks.
"This pattern consists of espionage, enabled via unauthorized network or system access, and largely constitutes nation-states or state-affiliated actors looking for those oh-so-juicy secrets."
What are the motivations for criminal hackers according to DBIR 2020?
If nation-state actors want secrets and intellectual property, then what are criminal hackers and hacker groups all about?
Here is an area where there is a very clear signal from the Data Breach Investigations Report: 86% of breaches are financially motivated.
We're not surprised by this based on the stories SecureWorld reports on and the expert interviews we've done. We recently spoke to Vinny Troia, author of Hunting Cyber Criminals, about cybercriminal motivations:
"I mean, money, always money, money.
There's obviously the hunt and the kill, right? So they love being able to hack different websites and the notoriety of being able to do it. I think notoriety is a big thing, also, being able to have their name associated with this, you know, monster hack or whatever.
But look, at the end of the day, they're looking for money."
According to the Verizon DBIR, financially motivated social engineering keeps increasing year over year, because these financially motivated cyber attacks work:
"There is no malware component, as you would see in the more advanced nation-state scenario, nor is there any effort to gain a foothold and remain persistent in the victim's network. These are simply a 'get what you can when you can' kind of attack.
This is not to say that they cannot be sophisticated in the lengths the adversary is willing to go to for success. In prior years, they would impersonate CEOs and other high-level executives and request W-2 data of employees.
They have largely changed their tactics to just asking for the cash directly— why waste time with monetizing data? It's so inefficient.
Their inventiveness in the pretext scenario to lend a level of believability to their attempt is a measure of how good these people are at their jobs."
There is much more in the Verizon DBIR; however, we hope this overview sheds light on data breach causes, actors, and motivations.